IT Security News Blast 5-1-2017

With mid-market companies feeling an increasing need to devote time and resources to network security, the security-as-a-service model is gaining traction, according to new research released yesterday by 451 Research. “The security challenge for mid-tier businesses is multi-dimensional,” Daniel Cummins, analyst at 451 Research, said in a statement. “For these businesses, everything seems to be increasing — attack frequency, compliance requirements, complexity, costs and the number of security products that need to be managed.

“Small Medium Businesses (SMB) are the main pillar of the nation’s economic growth. SMB made up 36.3% of the Malaysian economy in 2015, while accounting for 65.5% of total employment in 2015, making SMBs the biggest employer in Malaysia,” says Ng. “Given the economic importance of this sector, it needs to be protected. However, the majority of SMBs in Malaysia do not see security and protection of their IT infrastructure as necessary because they view themselves too insignificant for cybercriminals to attack.”

The DBIR, an analysis of more than 40,000 incidents (including 1,935 breaches) investigated by Verizon, shows that cybercriminals targeted manufacturing, the public sector and education the most, but Verizon senior network engineer Dave Hylender said the healthcare industry was hit the hardest with ransomware. “Organized criminal groups continue to utilize ransomware to extort money from their victims, and since a data disclosure in these incidents is often not confirmed, they are not reflected in statistical data,” Verizon wrote.

‘Orange Is the New Black’ Leak Shows: Hollywood Cybersecurity Lives and Dies With Third-Party Vendors

“Third-party vendors have been a problem for a long time and will continue to be in the future,” said PwC principal Mark Lobel during an interview with Variety Saturday. Lobel declined to specifically comment on this weekend’s Netflix leak, which appears to be based on a security breach at Larson Studios, an audio post-production company that has also been working on shows like “Fargo,” “Designated Survivor” and “NCIS Los Angeles.” But he argued that security for third-party vendors continues to be a weak link for Hollywood.

Though Shamoon has focused on Saudi Arabia, it is important to remember that system-wiping campaigns aren’t unique to the Middle East. Malicious actors can obtain technologies from the black market or contact other groups directly to learn new techniques. Malware and attack capabilities aren’t like guns, where there is a physical limitation on who can possess them. They can be shared, and once a technique is available, it becomes widespread.

There is no such thing as being 100% secure online, but if you’re careful to always use highly secure passwords, opt into multi-factor authentication when it’s available, stick with HTTPS-enabled websites for financial activity, refrain from using public WiFi for sensitive transactions, and generally take sensible precautions, then you can make it much harder for hackers to get a hold of your information. And if you’re a more difficult target, hackers are unlikely to waste the time it would take to crack your files when there are so many easy targets around.

Cybercriminals have taken notice of leaked government spying techniques

“Even though the actual source code for the exploit wasn’t included, it does give you data around how information was transferred….That would allow a hacker or somebody malicious to develop their own exploits based off of that information,” said Michael Buratwoski, the senior vice president of cybersecurity service at Fidelis Cybersecurity and a former law enforcement officer. The CIA has not confirmed the documents are real. The NSA did not respond to our request for comment.

NIST developed the CSF three years ago as a set of voluntary industry standards and best practices to help critical infrastructure organizations manage cybersecurity risks. It was intended to be effective and specific in its recommendations while remaining flexible enough for all organizations to implement it. The CSF makes complex information about cybersecurity and risk management more accessible. It creates a common vocabulary that personnel can understand at all levels of the organization from the server room to the boardroom.

Candy Alexander, a former CISO and independent consultant, said there are still more technical CISOs out there than business-minded ones, but the role in general is “morphing more into a business partner,” much like the CIO role. The challenge for CISOs today, Alexander said, is they “have to keep feet in both worlds” — understanding deeply technical issues regarding cybersecurity and IT architecture and the often political and contractual language of business.

Fortunately, security leaders have reached some level of consensus on much of what’s expected in the coming EO. Talking about cybersecurity at the executive level is a net positive, except when strong encryption is roundly dismissed. End-to-end encryption is the fundamental element that makes cyber defense possible and it’s remarkable to see that legislators think “the jury is still out” on this issue. Undoubtedly, newsmakers should revisit the way encryption is discussed. There needs to be a sense of ongoing urgency around adoption of strong encryption from the private sector to the general public.

Cybersecurity and the New Trump Administration: Your Top Ten Questions Answered

It appears the initial approach of the Trump Administration will be to build on the work done under the Obama Administration, so a certain measure of continuity should be expected. But as the Trump Administration moves forward, we expect to see an aggressive effort to have Congress approve a robust budget increase for cybersecurity. Indeed, due to the near-universal agreement of Congress that the United States needs to be doing more on cybersecurity issues, cybersecurity initiatives should provide the Trump Administration with an ability to achieve impactful bipartisan legislation, despite an increasingly partisan environment in Washington.

Specialists working at the National Cyber Security Centre (NCSC) were “stood up” over the past week and are ready to “surge” into action in case of a cyberattack on British democratic institutions, according to the Sunday Times. The center is part of the Government Communications Headquarters (GCHQ), Britain’s signal intelligence agency. The high alert was requested by PM Theresa May’s office, which asked the spy agency to make snap elections in June a top priority.

Cyber Shield 17 is part of the National Guard’s ongoing effort to improve Guard ability to respond to real-world cyber incidents. This is the sixth iteration of this training exercise. The exercise is divided into two phases: the first week offers participants the opportunity to hone their skills through academic instruction covering everything from the legal aspects of cyber operations to the nature of cyber threats to hands-on technical training. Equally important, the soldiers and airmen are learning their roles as part of the larger cyberspace defense community.

Now, the Chinese drone manufacturer DJI has decided to fight back, according to the Register. Software in the company’s drones can define no-fly zones that the aircraft are forbidden from entering. Typically, this geo-fencing technique is used to prevent people from flying their craft into restricted areas, like airports and military bases. But DJI now appears to have added a series of locations across Syria and Iraq to the list, including the city of Mosul.

We’ll be seeing a lot more autonomous systems, we’ll be seeing enhanced humans and smart systems, devices, and organizations. When you put all of those together, and you start thinking about how to bring out the best of the Internet of Things rather than the worst of the Internet of Things, governance is really the key. That means understanding how to design and build and think about these systems. Who’s responsible and who’s accountable, what does it mean to be ethical, and what does it mean to promote the public good?

In any jurisdiction with medium-strength privacy regulations, scraping and publishing the data without consent probably represents a breach. For example, Australian privacy analyst Stephen Wilson of Lockstep told The Register scraping a dating site is “an offence akin to theft by finding” (that is, if you find a suitcase stuffed with banknotes, you don’t get to keep it; you have to try and find the owner). Likewise, the popular hobby of inferring personally identifiable information from multiple datasets is a breach of privacy legislation in many countries.

The problem, according to the researchers [PDF], is that some apps open listening ports on the smartphone. Open ports are an old problem on desktop and server computers, but a relatively new one on smartphones. A team from the University of Michigan used a custom tool to scan more than 24,000 applications and found 410 of them to be vulnerable. At least one of those apps has been downloaded so many times that millions of Android devices are potentially exposed.
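The check a practitioner would want after reading that item is whether any app on a given phone is actually listening on a network-reachable port. The following is an added example, not the Michigan team's tool or anything from the article: it parses the kernel's /proc/net/tcp socket table (as read over adb) and reports LISTEN sockets owned by an Android app UID that are bound to something other than loopback. The sample table below is constructed for illustration, the UID boundary of 10000 is the standard Android app-UID range, and the little-endian address decoding assumes an ARM or x86 device.

```python
import socket
import struct
import sys

# Constructed sample of /proc/net/tcp as it would be read from an Android
# device with "adb shell cat /proc/net/tcp". Rows are made up for this example.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 40231 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10087        0 40544 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B44E 1F4AA8C0:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 41002 1 0000000000000000 20 4 30 10 -1
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12001 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"               # socket state code for LISTEN in /proc/net/tcp
ANDROID_APP_UID_START = 10000   # UIDs >= 10000 are allocated to installed apps on Android


def decode_endpoint(hex_endpoint):
    """Turn 'AAAAAAAA:PPPP' from /proc/net/tcp into ('dotted-quad', port).

    The address is stored in host byte order; ARM and x86 Android devices are
    little-endian, so '<I' is assumed here. The port is plain big-endian hex.
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the IPv4 socket table into one dict per row, skipping the header."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "sl":
            continue
        local_addr, local_port = decode_endpoint(fields[1])
        sockets.append({
            "local_addr": local_addr,
            "local_port": local_port,
            "state": fields[3],
            "uid": int(fields[7]),
        })
    return sockets


def exposed_app_listeners(text):
    """Return LISTEN sockets that belong to an app UID and are reachable off-device.

    A socket bound to 127.0.0.1 can only be reached by other processes on the
    phone; one bound to 0.0.0.0 or the Wi-Fi/cellular address accepts
    connections from the network, which is the exposure the research describes.
    """
    findings = []
    for s in parse_proc_net_tcp(text):
        if s["state"] != TCP_LISTEN:
            continue
        if s["uid"] < ANDROID_APP_UID_START:
            continue                    # system daemons are out of scope here
        if s["local_addr"].startswith("127."):
            continue                    # loopback-only, not network-exposed
        findings.append(s)
    return findings


if __name__ == "__main__":
    # Feed real output with: adb shell cat /proc/net/tcp | python3 this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PROC_NET_TCP
    for f in exposed_app_listeners(data):
        # Map the UID back to a package name with: adb shell pm list packages -U
        print("uid %d listens on %s:%d" % (f["uid"], f["local_addr"], f["local_port"]))
```

On the sample table only the first row is reported: an app UID listening on 0.0.0.0:8080. The loopback listener (row 1) and the established connection (row 2) are benign for this purpose, and the port-22 listener belongs to a system UID. Two caveats: IPv6 listeners live in /proc/net/tcp6 and a socket bound to :: also accepts IPv4-mapped connections, so a complete audit reads both tables; and newer Android releases restrict apps' own access to /proc/net, so run this from an adb shell rather than from on-device app code.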

Today, a spokesperson for the National Security Agency announced that the agency would end the practice of “upstream” collection of messages sent by American citizens—messages that were not directed to targets of NSA intelligence collection but referred to “selectors” for those targets in the body of the communications. According to the statement, the NSA has put an end to that practice, which has been authorized since 2008 under the agency’s interpretation of Section 702 of the Foreign Intelligence Surveillance Act (FISA).

Broad Warrantless Surveillance Threatens to Undermine the Criminal Justice System

Congressional debates about the renewal of one of the United States’ most sweeping intelligence surveillance laws are heating up. Helping to shape the discussion are several newly released government documents that highlight the need to ask hard questions about all of the reasons the executive branch may be gathering private communications through warrantless surveillance. Some of the new information the documents provide reinforces our understanding of just how broad US warrantless intelligence surveillance is—and suggests how extensively this monitoring may be undermining fair trial and other rights.

They charged him with a terrorism offense, and the reason for this, as they claim, is the connection between his IP address and a series of posts allegedly inciting dissent and disorder. Bogatov, a mathematics lecturer at Moscow’s Finance and Law University, was arrested on April 6, and privacy activists are calling it a “gross misunderstanding.” The Russian authorities claim that Bogatov is the man responsible for at least two posts left on sysadmins.ru; in one of them, he encouraged the protesters and called for a riot with “rags, bottles, gas, turpentine, styrofoam, and acetone.” The post was left under the alias “Airat Bashirov,” and the protest in question was an unsanctioned anti-corruption rally.


About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.